Like most of the requirements, most successful organizations are doing things that meet the requirements, the challenge is setting the stage for it (manual or procedure) and capturing evidence.

I am a HUGE believer in the process approach, so I see RTB applied at the process level, rather than some centralized Risk process.

I plan to capture evidence in our current methods. For example, contract review and production planning. A few changes in wording in the procedure and form explains why looking at capacity is a risk assessment.

As we all know, any successful organisation would ensure they take action needed to keep their customers satisfied. They would therefore naturally take into account any potential risks that could impact their ability to do so.

Coming to the satisfaction of the external auditors, one approach could be to list out potential risks along with the probability of occurrence of each. If the probability is very low/remote, it wouldn't justify investing into mitigation of the same. And if the probability is moderate to high, the organisation would already have taken corresponding and proportionate mitigation action. So all that is needed is to prepare such a list and show the same to an auditor if he insists on seeing something in black & white.

Most good companies have already been doing some degree of Risk based Thinking. Conceptually, it is not that new. But, they have not kept very cohesive records in each case.

I have been suggesting clients develop a simple multi-column matrix that shows what risks were identified, and what actions were taken. Add some simple columns for dates and responsibilities, and use it for each new project. Very similar to a Corrective Action Tracker.

I also recommend clients should analyze each process in their system, for any remaining risks, and consider if any actions should be taken. The same matrix can be applied to that exercise.

I do agree with documenting the risks identified, not to satisfy the auditor but to help keep all of the responsible persons, as well as new process members, appraised of the status and determined areas of focus.

I have spent a fair amount of my time encouraging my clients to take credit for that which has already been done; checklists, as lowly as they seem, are absolutely fair to point to as RBT as long as people can describe their role in helping to control risk. RBT need not be complex to be effective, but people in the processes do need to understand it within the extent of their responsibility and authority.

This standard provides us with a chance to demystify system management and make it more holistic. There has been a great deal of uncertainty, mostly among those who gravitate toward complexity.

Right now the authors are repeatedly saying ISO 9001:2015 requires no preventive action. But this is baloney. TC176 may have remove the clause specifying preventive action but for RM to be effective it must predominantly be preventive.

Quote:

In Reply to Parent Post bypldey42

For someone to say that the new ISO 9001 requires no preventive action is, I think, misleading.

In an effectively managed system there is no discernible difference between Continual Improvement and Preventive Action.

Quote:

In Reply to Parent Post byStijloor

You may be Jennifer, but considering how poorly many organizations and internal/external auditors have addressed the "Process Approach" (even after 14 years), I am very concerned. Unless there is a standard audit approach based on actual RBT evidence rather than auditor's opinion, I am not convinced that this RBT is a good idea.

My DNV auditors do a pretty good job of evaluating the state of the QMS as a whole: robust processes, plenty of DFMEA and PFMEA in evidence (even when not required), extremely low cost of poor quality, extremely high ratings from customers, years of 99.8%+ on time delivery, etc. and figuring out that you are taking a "process approach". Some better than others.

Quote:

In Reply to Parent Post byJen Kirley

"What does that look like?" is an entry question. No, I don't expect documentation just to appease an auditor. Far from it. People can also show me outcomes, describe examples, we can review projects, etc. Unless records are required, of course. And there will be the clause requiring documentation to help control things as needed, similar to 14001 approach. I'm more comfortable with that than some auditees will be if they never worked with 14001 or 18001.

As for Boeing, my understanding is they operate to the aerospace standard, yes? I'm not an aerospace auditor but my guess is that they have project requirements like automotive does. If I was auditing the 787 project it is indeed worth looking at whether or not they applied risk based thinking. Did they just pick any old supplier or did they qualify the supplier first? Did they try to anticipate the inherent challenges of all that production outsourcing, and other issues? If they used an FMEA approach then they applied risk based thinking. As an auditor I am chartered with having enough imagination to consider whether the auditee's approach conforms to the standard, why or why not.

You are a rare bird, Jen. In my experience, the majority of auditors have little to no imagination. I expect that your imagination would allow you to take the same approach as in my comment above.

Quote:

In Reply to Parent Post byJen Kirley

You are right to be concerned. Observing the variation that I do even in document control expectations, this one is going to be hard. Auditors are notoriously difficult to calibrate. I see it all the time.

Auditor calibration is a finding rich environment.

Quote:

In Reply to Parent Post bySidney Vianna

There will be a percentage of organizations AND auditors that will embrace the intent of RBT and do a good job at it.

I expect DNV and their auditors to be among them.

Quote:

In Reply to Parent Post bypldey42

Maybe organizations seeking certification should identify the risk that the auditor will not understand their risk-based approach ...

I have: Risk Priority Number = 910.

My company cannot design power conversion electronics that will survive absolutely everything that comes down the input line, or back up the output line. To do so would create a product that is so expensive that no customer would buy it. Therefore, we evaluate the risk of potential (pun intended) events outside of the expected parameters. Then we design for the most likely suspects. Then we verify and validate against a variety of SAE specifications to assure that we got it right. Only then do we release the product. I am currently dividing a 3 year span of warranty returns by a 2 year span of shipments. My line item return rate is less than 1%. My warranty costs are less than 0.5% of total revenue. My management approves that these rates and costs are acceptable risks. That approval is documented during Management Review.

And that's just page 1 of this thread. I am in the middle of addressing any changes I need to make to my Procedures Manual to address the 2015 versions so I am reading up...

Prevention is still there under Section 10 Improvement. How many of you have said, thought or discussed in a meeting: "Some day that is going to bite us in the ass"? Well, write down what "that" is. Treat it like it already happened. Do root cause analysis and corrective action (no containment, YAY, it didn't happen!).